Systems and methods for cyber security risk assessment

ABSTRACT

The present invention is directed to methods, systems, and non-transitory computer readable mediums which can evaluate cyber readiness of an organization. The methods can include: presenting a plurality of objective questions to a user; receiving answers to said plurality of objective questions from said user; determining based on said answers a risk rating for a threat origin of a cyber-attack; determining based on said answers a strength rating for an organizational safeguard against said threat origin; comparing said risk rating of said threat origin to said strength rating of said organizational safeguard; determining based on said comparison a cyber readiness of said organizational safeguard from said cyber-attack by said threat origin; and presenting the cyber readiness of said organizational safeguard. Systems and non-transitory computer readable mediums operating in a similar fashion as such systems are disclosed herein.

CROSS REFERENCE TO RELATED APPLICATION

This application is a continuation of U.S. application Ser. No. 15/633,242 filed on Jun. 26, 2017, the entire contents of which are relied upon and incorporated by reference.

TECHNICAL FIELD

The present disclosure relates to a system for cyber-risk assessment of an organization, and more specifically, to modeling cyber readiness of an organization against possible cyber-risks.

BACKGROUND

Cyber-attacks relate to malicious attempts through cyberspace or physical access to alter, manipulate, destruct, deny, degrade or destroy an organization's computers or networks, or the information residing in them, with the effect, in cyber space or the physical world, of compromising stability or prosperity of an organization. As such, cyber-attacks can come in many different forms including, but not limited to, hacking, malware, ransomware, botnets, DoS, social engineering, and phishing. Along these lines, cyber-attacks may come from different sources including, but not limited to, an attack from outside the organization, an attack from inside the organization by and/or through an individual within the organization, and a use of physical access.

As such, organizations must have multiple processes and technologies in place to deter and defend against cyber-attacks, and must employ evaluations to ensure their cyber readiness. However, given the numerous different types of cyber-attacks, and the complexity of cyber-security processes and measures, it is difficult to adequately determine the sufficiency of an organization's processes and technologies in deterring and defending against cyber threats.

SUMMARY OF THE INVENTION

In an embodiment of the present invention, a method for evaluating cyber readiness of an organization is provided, including: presenting a plurality of objective questions to a user, wherein each of the objective questions has one or more predefined answers to be selected by the user; receiving answers to the plurality of objective questions from the user; determining based on the answers a risk rating for a threat origin of a cyber-attack; determining based on the answers a strength rating for an organizational safeguard against the threat origin; comparing the risk rating of the threat origin to the strength rating of the organizational safeguard; determining based on the comparison a cyber readiness of the organizational safeguard from the cyber-attack by the threat origin; and presenting the cyber readiness rating of the organizational safeguard.

In another embodiment of the present invention, a system for evaluating cyber readiness of an organization is provided, including: a memory storage device and a processor in communication with the memory storage device. The processor is configured to: present a plurality of objective questions to a user, wherein each of the objective questions has one or more predefined answers to be selected by the user; receive answers to the plurality of objective questions from the user; determine based on the answers a risk rating for a threat origin of a cyber-attack; determine based on the answers a strength rating for an organizational safeguard against the threat origin; compare the risk rating of the threat origin to the strength rating of the organizational safeguard; determine based on the comparison the cyber readiness of the organizational safeguard from the cyber-attack by the threat origin; and present the cyber readiness rating of the organizational safeguard.

In yet another embodiment of the present invention, a non-transitory computer-readable medium tangibly storing computer program instructions is provided, which when executed by a processor, causes the processor to: present a plurality of objective questions to a user, wherein each of the objective questions has one or more pre-defined answers to be selected by the user; receive answers to the plurality of objective questions from the user; determine based on the answers a risk rating for a threat origin of a cyber-attack; determine based on the answers a strength rating for an organizational safeguard against the threat origin; compare the risk rating of the threat origin to the strength rating of the organizational safeguard; determine based on the comparison a cyber readiness of the organizational safeguard from the cyber-attack by the threat origin; and present the cyber readiness rating of the organizational safeguard.

Other features and advantages will become apparent from the following description, taken in connection with the accompanying drawings, wherein, by way of illustration and example, embodiments of the invention are disclosed.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other features and advantages will be apparent from the following, more particular, description of various exemplary embodiments, as illustrated in the accompanying drawings, wherein like reference numbers generally indicate identical, functionally similar, and/or structurally similar elements.

FIG. 1 illustrates an exemplary system that can be utilized to determine cyber readiness of an organization in accordance with embodiments of the present invention;

FIG. 2 illustrates an exemplary cyber readiness profile of an organization in accordance with embodiments of the present invention;

FIG. 3 illustrates an exemplary process for determining an inherent risk profile of an organization in accordance with embodiments of the invention;

FIG. 4 illustrates an exemplary user interface presenting a plurality of questions to determine an inherent risk profile of an organization in accordance with embodiments of the present invention;

FIGS. 5-9 illustrate exemplary portions of look-up tables for determining a risk rating for one or more threat actors against an organization in accordance with embodiments of the invention;

FIGS. 10 and 11 illustrate exemplary processes for determining a risk rating for a threat source based on a risk rating of one or more threat actors against an organization for an inherent risk profile of the organization in accordance with embodiments of the invention;

FIGS. 12-14 illustrate exemplary portions of look-up tables for determining a risk rating for one or more threat sources for an inherent risk profile of an organization in accordance with embodiments of the invention;

FIG. 15 illustrates an exemplary process for determining a cyber preparedness profile of an organization in accordance with embodiments of the invention;

FIG. 16 illustrates an exemplary user interface presenting questions to determine a cyber preparedness profile of an organization in accordance with embodiments of the present invention;

FIGS. 17A-F illustrate exemplary questions and answers for a user to select in order to determine a cyber preparedness profile of an organization in accordance with embodiments of the present invention;

FIG. 18 illustrates an exemplary data structure to determine a strength rating for an organizational safeguard of a cyber preparedness profile of an organization in accordance with embodiments of the present invention;

FIG. 19 illustrates an exemplary cyber readiness profile of an organization in accordance with embodiments of the present invention;

FIGS. 20 and 21 illustrate an exemplary look-up table to determine a relationship between a risk rating of a threat source and a strength rating of an organizational safeguard in accordance with embodiments of the present invention;

FIG. 22 illustrates an exemplary method of determining a cyber readiness profile of an organization in accordance with embodiments of the present invention; and

FIG. 23 illustrates a schematic diagram of an exemplary server that can be utilized in accordance with embodiments of the present invention.

DETAILED DESCRIPTION OF THE PRESENT INVENTION

Reference will now be made in detail to various embodiments of the present invention, examples of which are illustrated in the accompanying drawings. It is to be understood that the figures and descriptions of the present invention included herein illustrate and describe elements that are of particular relevance to the present invention. It is also important to note that any reference in the specification to “one embodiment,” “an embodiment” or “an alternative embodiment” means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. As such, the recitation of “in one embodiment” and the like throughout the specification does not necessarily refer to the same embodiment.

The systems and methods disclosed herein are directed to evaluating cyber readiness of an organization. Cyber readiness can refer to the process of integrated security measures across a system or infrastructure of an organization that monitors for and/or deters cyber threats. Referring now to FIG. 1, an exemplary system shown generally as reference 100 is provided for determining cyber readiness of an organization. The system 100 can include a network 101, a server 102, a computing device 103, and a firewall 104. Network 101 can comprise a public and/or private network, such as a local area network (LAN), a wide area network (WAN), the Internet, a virtual LAN (VLAN), an enterprise LAN, a virtual private network (VPN), an enterprise IP network, or any combination thereof. Server 102 can store information for evaluating cyber readiness of the organization, as will be discussed in more detail below. Computing device 103 can provide access to the server 102 to evaluate cyber readiness of the organization. Firewall 104 can be provided between server 102 and computing device 103. Firewall 104 can deter an unauthorized user from accessing a private network of the system 100. As such, a user can evaluate cyber readiness of the organization from one or both of server 102 and computing device 103. The cyber readiness evaluation can provide a cyber preparedness profile of the organization, as will be discussed in more detail below.

Referring now to FIG. 2, an exemplary cyber readiness profile 105 of an organization is illustrated. The cyber readiness profile 105 can comprise a cyber preparedness profile 106 of an organization referenced against an inherent risk profile 107 of the organization. The cyber preparedness profile 106 can comprise one or more evaluation categories 108 a-e and a strength rating 109 a-e for each of the evaluation categories 108 a-e. The evaluation categories 108 a-e can refer to one or more internal processes of an organization designed to deter a cyber-attack. For example, as illustrated, the evaluation categories 108 a-e can comprise “Cybersecurity Framework,” “Insider Threat Management,” “Governance & Oversight,” “Incident Response & Disaster Recovery,” and “Physical Security;” however, other organizational safeguards can be included. “Cybersecurity Framework” can refer to an underlying framework for assessing and/or improving an organization's ability to prevent, detect, and respond to cyber-attacks. “Insider Threat Management” can refer to a process of preventing, combating, detecting, and monitoring employees, vendors, and contractors from theft, fraud and damage of property. “Governance & Oversight” can refer to an operating model that organizes risk-management and reporting processes to ensure that an organization enters good governance, and conducts work in compliance with regulation and strategic goals. “Incident Response” can refer to a process in addressing and managing a cyber-attack. “Disaster Recovery” can refer to a plan for recovering from a cyber-attack and continuing operations. “Physical Security” can refer to protection of buildings and computer hardware from unauthorized access and/or tampering.

Moreover, the strength rating 109 a-e can refer to a quality level of protecting one or more organizational resources from one or more avenues of a cyber-attack. As such, the strength rating 109 a-e can be a plurality of levels. The levels can be presented to a user in the form of text and/or color. According to an embodiment, the strength rating 109 a-e can be presented to a user as “Good,” “Acceptable,” “Deficient,” or “TBD.” According to another embodiment, the strength rating 109 a-e can be presented to a user as green, yellow, red, or gray. The color green can represent “Good,” the color yellow can represent “Acceptable,” the color red can represent “Deficient,” and the color gray can represent “TBD.” “TBD” can refer to an insufficient amount of information entered into the system for assessment of the organizational safeguard at hand.

The inherent risk profile 107 can comprise one or more threat vectors 110 a-c and/or one or more threat origins 111 a-c. The threat vectors 110 a-c can be a method in which a threat source attempts to alter, manipulate, destruct, deny, degrade or destroy an organizational resource with or without authorized access. For example, as shown, the threat vectors 110 a-c can be “Hacking,” “Malware/Ransomware,” “Botnets,” “DoS/DDoS,” “Use of Insider Employee,” “Via Trusted Third Party Provider/Vendor,” “Social Engineering (Not Phishing),” “Phishing,” “Vishing,” “Physical Access to Facility,” and “Dumpster Diving.”

Along these lines, the threat origins 111 a-c can refer to a method or location in which a threat origin attempts to alter, manipulate, destruct, deny, degrade or destroy an organizational resource with or without authorized access. For example, as shown, the threat origins 111 a-c fall into categories such as “Attack from Outside,” “Use of Insiders,” and “Use of Physical Access.” “Attack from Outside” can refer to an individual outside of an organization attempting to access an organizational resource by a connection to the organization that is available to the individual from the outside. “Use of Insiders” can refer to an individual inside an organization (e.g., an employee), or related to the organization (e.g., a vendor), using legitimate access granted to the individual with malicious intent. “Use of Physical Access” can refer to an individual outside of an organization that acquires unauthorized access to an organizational resource by gaining access to the organization's physical facilities or property.

As such, the threat origins 111 a-c can each comprise one or more threat vectors 110 a-c. Accordingly, the threat vectors 110 a-c can be grouped according to their threat origin 111 a-c. For example, as illustrated, the threat origin 111 a—“Attack from Outside”—can comprise the threat vectors 110 a—“Hacking,” “Malware/Ransomware,” “Botnets,” and “DoS/DDoS.” Also, threat origin 111 b—“Use of Insiders”—can comprise the threat vectors 110 b—“Use of Insider Employee,” “Via Trusted Third Party Provider/Vendor,” “Social Engineering (Not Phishing),” “Phishing,” and “Vishing.”

In addition, the inherent risk profile 107 can comprise a risk rating 112 a-c for the threat vectors 110 a-c and/or a risk rating 113 a-c for the threat origins 111 a-c. The risk ratings 112 a-c, 113 a-c can refer to a likelihood of receiving a cyber-attack from the threat vectors 110 a-c and/or threat origins 111 a-c. As such, the risk ratings 112 a-c, 113 a-c for the threat vectors 110 a-c and/or threat origins 111 a-c can comprise a plurality of levels. The plurality of levels can be the same or different for the threat vectors 110 a-c and threat origins 111 a-c. Along these lines, the plurality of levels for the threat vectors 110 a-c and/or threat origins 111 a-c can be the same or different than those of the evaluation categories 108 a-e.

Moreover, the risk rating 112 a-c, 113 a-c for the threat vectors 110 a-c and/or the threat origins 111 a-c can be presented to a user in the form of text and/or color. According to an embodiment, the risk ratings 112 a-c, 113 a-c of the threat vectors 110 a-c and/or the threat origins 111 a-c can be presented to a user as “Very High,” “High,” “Medium,” “Low,” or “Very Low.” According to another embodiment, the risk ratings 112 a-c, 113 a-c of the threat vectors 110 a-c and/or the threat origins 111 a-c can be presented to a user as a medium shade of red, a light shade of red, a medium shade of yellow, a medium shade of green, or a light shade of green. The medium shade of red can represent “Very High,” the light shade of red can represent “High,” the medium shade of yellow can represent “Medium,” the medium shade of green can represent “Low,” and the light shade of green can represent “Very Low.”

To determine the inherent risk profile 107, an inherent risk assessment may be performed. Referring now to FIG. 3, an exemplary inherent risk assessment 114 is provided. The inherent risk assessment 114 can comprise a plurality of questions 115 and a plurality of look-up tables 116 corresponding to one or more of the questions 115. The questions can be answered, for example, using drop down menus, radio buttons, check boxes, or the like. The questions 115 can relate to the organization, such as the organization's industries, headquarters (country), and presence (countries). The questions 115 relating to the organization's industries, headquarters, and presence can be utilized to determine a likelihood of being attacked by different threat actors 117 a-e, as will be discussed in more detail below.

The look-up tables 116 can each comprise each possible answer or combination of answers a user may select for a particular question and a preliminary risk rating relating to a likelihood of being attacked by one or more threat actors for each possible answer. The preliminary risk rating can be one of a plurality of threat levels and, thus, can be the same or different for each of the look-up tables 116. Along these lines, each of the look-up tables can comprise the same threat actor(s) 117 a-e (e.g., “Organized Crime,” “Hacktivists,” “Nation States/Competitor,” “Nation States/Disruption, Destruction,” and “Disgruntled Employees.”)

Based on the answers to one or more questions 115, the inherent risk assessment 114 can determine the risk of cyber-attack via one or more threat actors 117 a-e and a cumulative risk rating 118 a-e for each of the threat actors 117 a-e. Along these lines, based on the threat actors 117 a-e and their cumulative risk ratings 118 a-e, the inherent risk assessment 114 can also determine a risk rating 112 a-c for one or more threat vectors 110 a-c of one or more threat origins 111 a-c.

Referring now to FIG. 4, an exemplary user interface 120 for presenting a plurality of questions to a user is provided. The user interface 120 can comprise a plurality of categories 121 a-g each having one or more questions. As such, one or more of the categories 121 a-g can comprise one or more questions relating to either the inherent risk assessment or the cyber preparedness assessment. According to an embodiment, the categories 121 a-g can be “Program Governance and Oversight,” “Identify,” “Protect,” “Detect,” “Respond,” “Recover,” and “Inherent.” For example, as shown, the “Inherent” category 121 g can comprise a plurality of questions relating to the inherent risk assessment. As will be discussed in more detail below, the “Program Governance and Oversight,” “Identify,” “Protect,” “Detect,” “Respond,” and “Recover” categories 121 a-f can each contain one or more questions relating to the cyber preparedness assessment.

As such, the questions presented in categories 121 a-g can comprise one or more objective questions having predefined answers for selection by a user. Alternatively, the questions presented in categories 121 a-g can permit a user to manually input a free-form answer. As such, the questions presented in categories 121 a-g can be for informational purposes only (free-form answers) and/or for the inherent risk assessment or the cyber preparedness assessment. According to an embodiment, the inherent risk assessment can only be based on one or more objective questions having predefined answers for selection by a user. According to another embodiment, the questions permitting a user to manually input a free-form answer can only be used for informational purposes.

Referring now to FIG. 5, an exemplary portion 122 of a look-up table for one or more questions relating to an organization's industries is provided. The look-up table can comprise each possible industry, or combination of industries, a user can select for the objective question(s) relating to the organization's industries and a preliminary risk rating relating to a likelihood of being attacked by each of the threat actors 117 a-e given the organization's presence in each industry. The threat actors 117 a-e can be grouped into categories, including “Organized Crime,” “Hacktivists,” “Nation States/Competitor,” “Nation States/Disruption, Destruction,” and “Disgruntled Employee.” “Organized Crime” can refer to criminal activities that are planned and carried out by one or more individuals. “Hacktivists” can refer to an individual attempting to hack a website or computer network without permission in an effort to convey a social or political message. “Nation States/Competitor” can refer to one or more nations that act with the goal of industrial espionage. “Nation States/Disruption, Destruction” can refer to one or more nations that act with the goal of disrupting or destroying an organization's resources. “Disgruntled Employee” can refer to an employee of the organization who is angry or dissatisfied. The preliminary risk rating can be one of a plurality of threat levels. The threat levels can represent the relative likelihood of being attacked by a particular threat actor. For example, the threat levels can be “High,” “Medium,” or “Low.”

Upon selection of multiple industries, the inherent risk assessment can select the highest risk rating for each of the threat actors 117 a-e corresponding to the selected industries. For example, the “Aircraft” industry has a low risk of being attacked by “Organized Crime,” a medium risk of being attacked by “Hacktivists,” a high risk of being attacked by “Nation States/Competitor,” a high risk of being attacked by “Nation States/Disruption, Destruction,” and a high risk of being attacked by “Disgruntled Employees.” Whereas, the “Amusement Parks” industry has a medium risk of being attacked by “Organized Crime,” a medium risk of being attacked by “Hacktivists,” a low risk of being attacked by “Nation States/Competitor,” a low risk of being attacked by “Nation States/Disruption, Destruction,” and a low risk of being attacked by “Disgruntled Employees.” Moreover, the “Hotels” industry has a high risk of being attacked by “Organized Crime,” a medium risk of being attacked by “Hacktivists,” a high risk of being attacked by “Nation States/Competitor,” a low risk of being attacked by “Nation States/Disruption, Destruction,” and a medium risk of being attacked by “Disgruntled Employees.”

As such, upon selection of both the “Aircraft” and “Amusement Parks” industries (and no others), the inherent risk assessment can determine the organization has a medium risk of being attacked by “Organized Crime,” a medium risk of being attacked by “Hacktivists,” a high risk of being attacked by “Nation States/Competitor,” a high risk of being attacked by “Nation States/Disruption, Destruction,” and a high risk of being attacked by “Disgruntled Employees.” Moreover, upon selection of each of the “Aircraft,” “Amusement Parks,” and “Hotels” industries (and no others), the inherent risk assessment can determine the organization has a high risk of being attacked by “Organized Crime,” a medium risk of being attacked by “Hacktivists,” a high risk of being attacked by “Nation States/Competitor,” a high risk of being attacked by “Nation States/Disruption, Destruction,” and a high risk of being attacked by “Disgruntled Employees.”

Referring now to FIGS. 6 and 7, exemplary portions of look-up tables for questions relating to an organization's headquarters and presence countries are illustrated. The organization's headquarters can refer to a country in which the organization is legally domiciled and/or based. The organization's presence can refer to a country in which the organization performs a significant aggregation of key corporate operations or infrastructure, such as data centers, production facilities, research and development, and a large employee base.

As such, FIG. 6 provides an exemplary portion 123 of a look-up table comprising each possible country for an organization's headquarters a user may select and a preliminary risk rating relating to a possible increase in the likelihood of being attacked by each of threat actors 117 a-e in each headquarters country. FIG. 7 provides an exemplary portion 124 of a look-up table comprising each possible country for an organization's presence a user may select and a preliminary risk rating relating to a possible increase in the likelihood of being attacked by each of threat actors 117 a-e in each presence country. As such, the look-up table of FIG. 6 and the look-up table of FIG. 7 can each increase the preliminary risk rating described above in relation to FIG. 5. Moreover, like FIG. 5, the threat actors 117 a-e of FIGS. 6 and 7 are “Organized Crime,” “Hacktivists,” “Nation States/Competitor,” “Nation States/Disruption, Destruction,” and “Disgruntled Employee.” However, the preliminary risk rating of being attacked by the threat actors 117 a-e of FIGS. 6 and 7 can comprise a plurality of threat levels different or the same as those utilized in FIG. 5. For example, the threat levels can comprise 0 (no increase in risk rating), 1 (some increase in risk rating), or 2 (large increase in risk rating).

Upon selection of multiple countries for the organization's headquarters and/or presence, the inherent risk assessment can select the highest rating for each threat actor 117 a-e. For example, as illustrated in FIG. 7, Switzerland has a threat level of “0” for “Organized Crime,” a threat level of “1” for “Hacktivists,” a threat level of “2” for “Nation States/Competitor,” a threat level of “0” for “Nation States/Disruption, Destruction,” and a threat level of “0” for “Disgruntled Employee.” Whereas, the country of Norway has a threat level of “0” for “Organized Crime,” a threat level of “0” for “Hacktivists,” a threat level of “2” for “Nation States/Competitor,” a threat level of “1” for “Nation States/Disruption, Destruction,” and a threat level of “0” for “Disgruntled Employee.” Moreover, the country of Qatar has a threat level of “1” for “Organized Crime,” a threat level of “1” for “Hacktivists,” a threat level of “1” for “Nation States/Competitor,” a threat level of “0” for “Nation States/Disruption, Destruction,” and a threat level of “1” for “Disgruntled Employee.”

As such, upon selection of both “Switzerland” and “Norway” for the organization's presence (and no others), the inherent risk assessment can determine the organization has a threat level of “0” for “Organized Crime,” a threat level of “1” for “Hacktivists,” a threat level of “2” for “Nation States/Competitor,” a threat level of “1” for “Nation States/Disruption, Destruction,” and a threat level of “0” for “Disgruntled Employee.” Moreover, upon selection of each of “Switzerland,” “Norway,” and “Qatar” for the organization's presence (and no others), the inherent risk assessment can determine the organization has a threat level of “1” for “Organized Crime,” a threat level of “1” for “Hacktivists,” a threat level of “2” for “Nation States/Competitor,” a threat level of “1” for “Nation States/Disruption, Destruction,” and a threat level of “1” for “Disgruntled Employee.”

Therefore, to determine a cumulative risk rating for one or more threat actors 117 a-e, a cumulative look-up table may be used. Referring now to FIG. 8, an exemplary portion 125 of a cumulative look-up table is provided. The cumulative look-up table can comprise an exhaustive list of scenarios representing each possible combination of outcomes from a plurality of preliminary look-up tables 122-124 and a preliminary risk rating 126 for each possible combination of outcomes from preliminary look-up tables 122-124. The preliminary risk rating 126 can refer to the risk of being attacked by the threat actors 117 a-e (illustrated in FIGS. 5-7). As such, the cumulative risk can comprise a plurality of threat levels that are different or the same as those utilized in FIGS. 5-7. For example, the threat levels can be “Very High,” “High,” “Medium,” “Low,” and “Very Low” (“VH,” “H,” “M,” “L,” and “VL,” respectively). As stated above, the different threat levels can represent the relative likelihood of being attacked by each of the threat actors 117 a-e (illustrated in FIGS. 5-7).

Accordingly, the scenarios can represent each possible combination of outcomes from questions relating to the organization's industries as well as their headquarters and presence in countries. Along these lines, the scenarios can be utilized to determine the preliminary risk rating 126 for each of the threat actors 117 a-e (illustrated in FIGS. 5-7) based on the questions. As such, for example, if the outcomes from preliminary look-up tables 122-124 for “Organized Crime” 117 a (illustrated in FIGS. 5-7) are “Medium,” “1,” and “0,” respectively, scenario #1 would call for the cumulative risk rating to be “Medium.” Alternatively, if the outcomes from preliminary look-up tables 122-124 for “Hacktivists” 117 b (illustrated in FIGS. 5-7) are “Low,” “2,” and “0,” respectively, scenario #4 would call for the cumulative risk rating to be “Low.”
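The following worked example is added here and is not code from the patent or its assignee; it re-implements the look-up logic of FIGS. 5-8 as the text describes it. The “Aircraft,” “Amusement Parks,” and “Hotels” rows and the Switzerland, Norway, and Qatar rows are the values quoted above; the "highest rating wins" rule for multiple selections is the rule stated above. The headquarters table (FIG. 6) has the same 0/1/2 structure as FIG. 7 but no values are quoted for it, so the example accepts a headquarters increase as a plain number. Only scenarios #1 and #4 of the cumulative table are given, so the scenario table here is a constructed partial table and any other combination is reported as missing rather than guessed.

```python
# Added example re-implementing the FIGS. 5-8 look-up logic; not the patent's code.
# Threat actors 117 a-e in the order used by every table below.
THREAT_ACTORS = (
    "Organized Crime",
    "Hacktivists",
    "Nation States/Competitor",
    "Nation States/Disruption, Destruction",
    "Disgruntled Employee",
)

# FIG. 5 threat levels, lowest to highest, so max() can compare them.
INDUSTRY_LEVELS = ("Low", "Medium", "High")

# FIG. 5 rows quoted in the text, one rating per threat actor.
INDUSTRY_TABLE = {
    "Aircraft":        ("Low", "Medium", "High", "High", "High"),
    "Amusement Parks": ("Medium", "Medium", "Low", "Low", "Low"),
    "Hotels":          ("High", "Medium", "High", "Low", "Medium"),
}

# FIG. 7 presence rows quoted in the text: 0 = no increase, 1 = some, 2 = large.
PRESENCE_TABLE = {
    "Switzerland": (0, 1, 2, 0, 0),
    "Norway":      (0, 0, 2, 1, 0),
    "Qatar":       (1, 1, 1, 0, 1),
}

# Constructed partial FIG. 8 table keyed by
# (FIG. 5 industry rating, FIG. 6 headquarters increase, FIG. 7 presence increase).
# Only scenarios #1 and #4 are taken from the text; everything else is unknown here.
CUMULATIVE_TABLE = {
    ("Medium", 1, 0): "Medium",   # scenario #1
    ("Low", 2, 0): "Low",         # scenario #4
}


def combine_industries(selected):
    """Highest FIG. 5 rating per threat actor across the selected industries."""
    if not selected:
        raise ValueError("at least one industry must be selected")
    result = {}
    for i, actor in enumerate(THREAT_ACTORS):
        ratings = [INDUSTRY_TABLE[industry][i] for industry in selected]
        result[actor] = max(ratings, key=INDUSTRY_LEVELS.index)
    return result


def combine_countries(selected, table=PRESENCE_TABLE):
    """Highest 0/1/2 increase per threat actor across the selected countries.

    Assumption: with no country selected there is no increase (0).
    """
    result = {}
    for i, actor in enumerate(THREAT_ACTORS):
        result[actor] = max((table[country][i] for country in selected), default=0)
    return result


def cumulative_rating(industry_rating, hq_increase, presence_increase):
    """Look up the FIG. 8 scenario for one threat actor.

    A combination that is not in the (partial) table raises instead of
    silently defaulting, so a missing scenario cannot masquerade as a low risk.
    """
    key = (industry_rating, hq_increase, presence_increase)
    try:
        return CUMULATIVE_TABLE[key]
    except KeyError:
        raise LookupError(f"scenario {key} is not in the partial table") from None


if __name__ == "__main__":
    print(combine_industries(["Aircraft", "Amusement Parks", "Hotels"]))
    print(combine_countries(["Switzerland", "Norway", "Qatar"]))
    print(cumulative_rating("Medium", 1, 0))
```

Raising on an unknown scenario is a deliberate choice: in a risk tool, a silent default for an unlisted combination would understate exposure without anyone noticing.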

Referring back to FIG. 3, as stated previously, based on receiving answers to questions provided to a user, the inherent risk assessment 114 can determine the cumulative risk ratings 118 a-e for each of the threat actors 117 a-e. Thereafter, based on the risk ratings 118 a-e of the threat actors 117 a-e, the inherent risk assessment 114 can determine the risk ratings 112 a-c for each of the threat vectors 110 a-c. The risk ratings 112 a-c for each of the threat vectors 110 a-c can be based on a likelihood of the threat actors 117 a-e employing the threat vectors 110 a-c, and optionally, a legal regime of one or more countries in which the organization is present, which will be described in more detail below.

To determine the likelihood of the threat actors 117 a-e employing the threat vectors 110 a-c, a threat look-up table can be utilized. Referring now to FIG. 9, an exemplary threat look-up table 127 is provided. The threat look-up table 127 can comprise a likelihood that each of the threat actors 117 a-e employ each of the threat vectors 110 a-c. The likelihood can be one of a plurality of levels, such as “1,” “2,” and “3.” As such, the level of likelihood can refer to whether the threat actors 117 a-e are likely to utilize the threat vectors 110 a-c as a primary method, secondary method, or tertiary method. For example, as illustrated, the threat actor 117 a—“Organized Crime”—utilizes the threat vector 110 a-4—“DoS/DDoS”—as a tertiary method and, thus, is assigned the level “3.” The threat actor 117 b—“Hacktivists”—utilizes the threat vector 110 a-4—“DoS/DDoS”—as a primary method and, thus, is assigned the level “1.” The threat actor 117 c—“Nation States/Competitor”—utilizes the threat vector 110 a-4—“DoS/DDoS”—as a tertiary method and, thus, is assigned the level “3.” The threat actor 117 d—“Nation States/Disruption, Destruction”—utilizes the threat vector 110 a-4—“DoS/DDoS”—as a primary method and, thus, is assigned the level “1.” The threat actor 117 e—“Disgruntled Employee”—utilizes the threat vector 110 a-4—“DoS/DDoS”—as a primary method and, thus, is assigned the level “1.”

As such, the likelihood of the threat actors 117 a-e utilizing thethreat vector “DoS/DDoS” can provide a discount to the risk rating 118a-e (illustrated in FIG. 3) of the threat actors 117 a-e. The discountcan refer to a decrease in the preliminary risk rating of the threatactors 117 a-c. The amount of the decrease can correspond to the levelof likelihood of the threat actors 117 a-e employing the threat vectors110 a-c. For example, the level “3” can decrease preliminary risk ratingtwo levels, the level “2” can decrease the preliminary risk rating onelevel, and the level “1” cannot decrease the preliminary risk rating.

Upon acquiring the likelihood of the threat actors 117 a-e employing aparticular one of the threat vectors 110 a-c, the inherent riskassessment 114 (illustrated in FIG. 3) can determine a risk rating forone of the threat vector 110 a-c (depicted in FIG. 3). Referring now toFIG. 10, an exemplary method to determine a risk rating 112 a-4 for aparticular threat vector 110 a-4 is depicted. The inherent riskassessment can correlate the cumulative risk ratings 118 a-e of thethreat actors 117 a-e to a likelihood 128 a-e of the threat actors 117a-e employing the threat vector 110 a-4. In doing so, the inherent riskassessment can determine if any of the cumulative risk ratings 118 a-eof the threat actors 117 a-e should be discounted for the threat actor110 a-4, as discussed previously. Thereafter, the inherent riskassessment can provide an ultimate risk rating 130 a-e for the threatactors 117 a-e that is based on a likelihood 128 of the threat actors117 a-e employing the threat vectors 110 a-c.

For example, as illustrated, the threat actor 117 a—“OrganizedCrime”—can have cumulative risk rating 118 a—“Very High”—and level oflikelihood 128 a—“3”—for utilizing the threat vector 110 a-4—“DoS/DDoS,”the threat actor 117 b—“Hacktivists”—can have cumulative risk rating 118b—“Medium”—and level of likelihood 128 b—“1”—for utilizing the threatvector 110 a-4—“DoS/DDoS,” the threat actor 117 c—“NationStates/Competitor”—can have cumulative risk rating of 118 c—“High”—andlevel of likelihood 128 c—“3”—for utilizing the threat vector 110a-4—“DoS/DDoS,” the threat actor 117 c—“Nation States/Disruption,Destruction”—can have cumulative risk rating of 118 d—“Medium”—and levelof likelihood 128 d—“1”—for utilizing the threat vector 110a-4—“DoS/DDoS,” and the threat actor 117 e—“Disgruntled Employee”—canhave cumulative risk rating 118 e—“Medium” —and a level of likelihood128 e—“1”—for utilizing the threat vector 110 a-4—“DoS/DDoS.”

As such, the cumulative risk rating 118 a for the threat actor 117a—“Organized Crime”—can decrease 2 levels, and the ultimate risk rating130 a for the threat actor 117 a—“Organized Crime”—can be “Medium.” Thecumulative risk rating 118 b for the threat actor 117b—“Hacktivists”—can remain the same, and the ultimate risk rating 130 bfor the threat actor 117 b—“Hacktivists”—can be “Medium.” The cumulativerisk rating 118 b for the threat actor 117 c—“NationStates/Competitor”—can decrease 2 levels, and the ultimate risk rating130 c for the threat actor 117 c—“Nation States/Competitor” can be“Low.” The cumulative risk rating 118 d of the threat actor 117d—“Nation States/Disruption, Destruction”—can remain the same, and theultimate risk rating 130 d for the threat actor 117 d—“NationStates/Disruption, Destruction”—can be “Medium.” The cumulative riskrating 118 e of the threat actor 117 e—“Disgruntled Employee”—candecrease 2 levels, and the ultimate risk rating 130 d for the threatactor 117 e—“Disgruntled Employee”—can be “Medium.”

Therefore, upon determining the ultimate risk ratings 130 a-e for thethreat actors 117 a-e, a risk rating 112 a-4 for the threat vector 110a-4 can be determined. The risk rating 112 a-4 for the threat vector 110a-4 can be the worst of the ultimate risk ratings 130 a-e. For example,as illustrated and stated previously, the ultimate risk rating 130 a forthe threat vector 117 a—“Organized Crime”—to use the threat vector 110a-4—“DoS/DDoS”—can be “Medium,” the ultimate risk rating 130 b for thethreat vector 117 a—“Hacktivists”—to use the threat vector 110a-4—“DoS/DDoS”—can be “Medium,” the ultimate risk rating 130 c for thethreat vector 117 c—“Nation States/Competitor”—to use the threat vector110 a-4—“DoS/DDoS”—can be “Low,” the ultimate risk rating 130 d for thethreat actor 117 d—“Nation States/Disruption, Destruction”—to use thethreat vector 110 a-4—“DoS/DDoS”—can be “Medium,” and the ultimate riskrating 130 e for the threat actor 117 e—“Disgruntled Employee”—to usethe threat vector 110 a-4—“DoS/DDoS”—can be “Medium.” As such, the riskrating 112 a-4 for the threat vector 110 a-4—“DoS/DDoS” can be “Medium.”

Referring back to FIG. 3, the inherent risk assessment 114 can determinethe risk ratings 112 a-c for each of the threat vectors 110 a-c based onthe processes described in FIGS. 9 and 10. Moreover, the inherent riskassessment 114 can adjust the risk ratings 112 a-c of one or more of thethreat vectors 110 a-c based on a legal regime of the organization'spresence countries in governing the threat vectors 110 a-c. “Legalregime” can refer to legal consideration affecting the user ofcyber-attack methods, such as the ability of a host country to seizedata/systems without recourse or due process, or laws prohibiting theuse of encryption technology or preventing cloud storage or computing.According to an embodiment, the inherent risk assessment 114 can onlyalter the risk ratings for only the threat vector 110 b-1—“User ofInsider Employee”—and threat vector 110 b-2—“Via Trusted Third PartyProvider/Vendor.”

To determine if the risk rating for one of the treat types 110 a-cshould be modified based on the legal regime in the organization'spresence countries, the inherent risk assessment 114 can utilize aseparate look-up table than those previously discussed. Referring now toFIG. 11, a portion 131 of the look-up table is provided. The look-uptable can comprise each possible country the organization is present anda legal regime rating 132 relating to the legal regime in each countryis provided. The legal regime rating 132 can comprise one of a pluralityof levels that are different or the same as those utilized in FIGS. 5-7.For example, the levels can comprise 0, 1, or 2. The levels can relateto a strength of the legal regime of the country in protecting theorganization from cyber risks. As such, the higher the legal regimerating the weaker the strength of the legal regime of the country.According to an embodiment, the level “0” can refer to a country havinga strong legal regime, the level “1” can refer to a country having amoderate legal regime, and the level “2” can refer to a country having aweak legal regime. Therefore, the legal regime rating of “0” does notincrease the risk ratings 112 a-c of the treat types 110 a-c, and thelegal regime rating of “1” or “2” increases the risk ratings 112 a-c ofthe threat vectors 110 a-c by a single risk rating (e.g., “Medium” to“High”).

Consequently, upon the organization being present in multiple countrieshaving different legal regime ratings, the inherent risk assessment canutilize the legal regime rating having the highest level (i.e., theweakest legal regime). For example, as illustrated, although theorganization is present in “Germany” and “United States,” the inherentrisk assessment may only utilize the legal regime rating for the “UnitedStates.” In doing so, the inherent risk process can increase the riskrating of “the threat vector 110 b-2—Use of Insider Employee—from “High”to “Very High.”

Referring back to FIG. 2, upon determining the risk ratings 112 a-c foreach of the threat vectors 110 a-c, the inherent risk assessment 114(illustrated in FIG. 3) can determine the risk ratings 113 a-c for eachof the threat origins 111 a-c. To do so, in one embodiment, the riskratings 113 a-c of the threat origins 111 a-c can be an average of therisk ratings 112 a-c for the threat vectors 110 a-c. As such, one ormore of the risk ratings 112 a-c of the threat vectors 110 a-c can beweighted. In another embodiment, one or more look-up tables eachrelating to one of threat origins 111 a-c can be utilized to determinethe risk ratings 113 a-c of the threat origins 111 a-c.

Referring now to FIGS. 12-14 exemplary portions of look-up tables todetermine the risk ratings 113 a-c of the threat origins 111 a-c isprovided. Each of the look-up tables can comprises each possiblecombination of outcomes for the threat vectors of the threat origin anda risk rating for each possible combination of outcomes. For instance,FIG. 12 illustrates an exemplary portion of a look-up table to determinethreat origin 111 a—“Attack from Outside”—and comprises each possiblecombination of outcomes for the threat vectors 110 a of the threatorigin 111 a and a risk rating for each possible combination ofoutcomes. Furthermore, FIG. 13 depicts an exemplary portion of a look-uptable to determine the threat origin 111 b—“Use of Insiders”—andcomprises each possible combination of outcomes for the threat vectors110 b of the threat origin 111 b and a risk rating for each possiblecombination of outcomes. Moreover, FIG. 14 provides an exemplary portionof a look-up table to determine the threat origin 111 c—“Use of PhysicalAccess”—and comprises each possible combination of outcomes for thethreat vectors 110 c of the threat origin 111 c and a risk rating foreach possible combination of outcomes.

As such, the look-up tables of FIGS. 12 and 13 can implement a set ofrules to determine the risk ratings 113 a, b of the threat vectors 110a, b. Specifically, the set of rules can comprise using the se secondhighest (worst) risk rating of the threat vectors, unless one of therisk ratings of the threat vector is lower (better) than another one ofthe risk rating of the threat vector by at least two risk ratings. Ifone of the risk ratings of the threat vector is lower (better) thananother one of the risk rating of the threat vector by at least two riskratings, the highest risk rating lowered by one risk rating is selected.For example, as illustrated in FIG. 12, when the threat vectors“DoS/DDoS,” “Hacking,” “Botnets,” and “Malware/Ransomware” have riskratings of “Low,” “Low,” “Medium,” and “High,” respectively, the riskrating for threat origin “Attack from Outside” is “Medium.” Moreover, asalso illustrated in FIG. 12, when the threat vectors “DoS/DDoS,”“Hacking,” “Botnets,” and “Malware/Ransomware” have risk ratings of“Low,” “Medium,” “Low,” and “Very High,” respectively, the risk ratingfor threat origin “Attack from Outside” is “High.”
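The discount, worst-of, legal-regime and second-highest rules described above, as an added Python example that is not part of the patent; the legal-regime levels for the two presence countries are constructed, since the figure's values are not on the page.

```python
"""Added example (not the patent's code): the inherent-risk arithmetic of
FIGS. 9 through 13 as plain functions, checked against the DoS/DDoS
walk-through and the two "Attack from Outside" rows given in the text."""

# Ordered scale implied by the text: "Very High" decreased two levels is
# "Medium", and "High" decreased two levels is "Low".
LEVELS = ["Low", "Medium", "High", "Very High"]

# FIG. 9 likelihood level -> number of levels the cumulative actor rating
# is discounted ("1" primary: none, "2" secondary: one, "3" tertiary: two).
DISCOUNT = {1: 0, 2: 1, 3: 2}


def shift(rating: str, delta: int) -> str:
    """Move a rating up (positive) or down (negative) the scale.
    Clamping at "Low" and "Very High" is an assumption; the text never
    shows a rating beyond either end of the scale."""
    idx = LEVELS.index(rating) + delta
    return LEVELS[max(0, min(len(LEVELS) - 1, idx))]


def ultimate_actor_ratings(cumulative: dict, likelihood: dict) -> dict:
    """FIG. 10: discount each actor's cumulative rating (118 a-e) by its
    likelihood (128 a-e) of employing the vector, giving 130 a-e."""
    return {actor: shift(rating, -DISCOUNT[likelihood[actor]])
            for actor, rating in cumulative.items()}


def vector_risk_rating(cumulative: dict, likelihood: dict) -> str:
    """The vector's rating (112) is the worst of the ultimate actor ratings."""
    ultimate = ultimate_actor_ratings(cumulative, likelihood)
    return max(ultimate.values(), key=LEVELS.index)


def apply_legal_regime(rating: str, regime_ratings: dict) -> str:
    """FIG. 11: take the weakest regime (highest level) among the presence
    countries; level 0 leaves the rating alone, 1 or 2 raise it one level."""
    weakest = max(regime_ratings.values())
    return shift(rating, 1) if weakest >= 1 else rating


def origin_risk_rating(vector_ratings: list) -> str:
    """FIGS. 12-13 rule: the second-highest vector rating, unless two vector
    ratings differ by at least two levels, in which case the highest rating
    lowered by one level."""
    idx = sorted((LEVELS.index(r) for r in vector_ratings), reverse=True)
    if len(idx) < 2:
        return LEVELS[idx[0]]
    if idx[0] - idx[-1] >= 2:
        return LEVELS[idx[0] - 1]
    return LEVELS[idx[1]]


# FIG. 10 walk-through from the text for threat vector 110 a-4, "DoS/DDoS".
DOS_CUMULATIVE = {
    "Organized Crime": "Very High",
    "Hacktivists": "Medium",
    "Nation States/Competitor": "High",
    "Nation States/Disruption, Destruction": "Medium",
    "Disgruntled Employee": "Medium",
}
DOS_LIKELIHOOD = {
    "Organized Crime": 3,
    "Hacktivists": 1,
    "Nation States/Competitor": 3,
    "Nation States/Disruption, Destruction": 1,
    "Disgruntled Employee": 1,
}

if __name__ == "__main__":
    print(ultimate_actor_ratings(DOS_CUMULATIVE, DOS_LIKELIHOOD))
    print("DoS/DDoS vector rating:",
          vector_risk_rating(DOS_CUMULATIVE, DOS_LIKELIHOOD))   # Medium
    # Constructed legal-regime levels (the figure's actual values are not on
    # the page): one strong (0) and one moderate (1) presence country.
    print("Insider vector after legal regime:",
          apply_legal_regime("High", {"Country A": 0, "Country B": 1}))
    print(origin_risk_rating(["Low", "Low", "Medium", "High"]))       # Medium
    print(origin_risk_rating(["Low", "Medium", "Low", "Very High"]))  # High
```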

Referring back to FIG. 2, to determine the cyber preparedness profile 106, a cyber-risk assessment may be used. Referring now to FIG. 15, an exemplary cyber preparedness assessment 133 is provided. The cyber preparedness assessment 133 can comprise a plurality of questions 115. As stated previously, the questions can be presented to a user in a plurality of categories. According to an embodiment, the questions are presented to a user in one or more of the “Program Governance and Oversight,” “Identify,” “Protect,” “Detect,” “Respond,” and “Recover” categories 121 a-f. The answers to these questions can be used in the cyber preparedness assessment 133. According to another embodiment, the cyber-risk assessment can comprise 20 to 200 questions. According to yet another embodiment, the cyber-risk assessment can comprise 50 to 150 questions. According to yet a further embodiment, the cyber-risk assessment can comprise approximately 100 questions.

Referring now to FIG. 16, an exemplary user interface 134 related to questions presented in one or more categories 121 a-f comprising questions used in the cyber preparedness assessment 133 (illustrated in FIG. 15) is depicted (the questions in category 121 g are used in the previously described inherent risk assessment). The user interface 134 comprises a plurality of questions and one or more predefined answers for selection by a user. Upon selection of one or more answers, a preliminary strength rating 135 a-d relating to each question can be determined. The preliminary strength ratings 135 a-d of the questions can refer to a likelihood of protecting one or more organizational resources from one or more cyber-attacks, and can comprise a plurality of levels. For instance, the preliminary strength rating 135 a-d can be “Better,” “Good,” “Acceptable,” “Deficient,” or “TBD.” Although illustrated in FIG. 16, the user interface 134 can be configured to not include the preliminary strength ratings 135 a-d. Along these lines, the questions can each correspond to a recommendation for receiving an optimal preliminary strength rating (e.g., “Better” or “Good”), educational information relating to the importance of the question, and/or one or more risks associated with not receiving the optimal preliminary strength rating, each of which may or may not be presented on the user interface 134.

Referring now to FIGS. 17A-F, a plurality of objective questions for the “Program Governance and Oversight” category 121 a is depicted. As discussed above, one or more questions 135 a, 136 a, 138 a-155 a can have one or more predefined answers for a user to select. The questions can be answered, for example, using drop-down menus, radio buttons, check boxes, or the like. Although some questions 135 a, 136 a, 138 a, 139 a, and 141 a-155 a having one or more predefined answers can be used in the cyber-risk assessment, other questions 140 a having one or more predefined answers can be for informational purposes only and not used in the cyber-risk assessment. Moreover, one or more questions 137 a can prompt a free-form answer and, thus, be for informational purposes 137 b only and not used in the cyber-risk assessment. As such, one or more questions having one or more predefined answers can each be associated with a look-up table 135 b, 136 b, 138 b-155 b. The look-up table 135 b, 136 b, 138 b-155 b can comprise each possible answer or combination of answers a user may select for the question and a preliminary strength rating. The preliminary strength rating can be one of a plurality of strength levels and, thus, can be the same or different for each of the look-up tables 135 b, 136 b, 138 b-155 b. According to an embodiment, as illustrated for question (1), if the user indicates the organization uses more than one information security standard, the preliminary strength rating is “Good.” According to another embodiment, as illustrated for question (8), if the user indicates “5-10%” or “10-15%” of the overall Information Technology budget is dedicated to cyber security, the preliminary strength rating is “Average.”

Referring back to FIG. 15, one or more questions 115 from one or more categories 121 a-f can correspond to one or more evaluation categories 108 a-d. As such, the strength rating of each of the evaluation categories 108 a-d can be based on one or more questions 115. To determine the strength rating of the evaluation categories 108 a-d, a data structure can be implemented.

As to evaluation category 108 e (not illustrated), a user can assess one or more physical locations of the organization to determine if the location meets one or more predetermined capabilities relating to deterring one or more physical acts that may result in a cyber-attack. The assessment can be performed manually by the user, and can be inputted into the computer. The results of the assessment can provide a strength rating of the evaluation category 108 e. As such, the results can be determined by the user and inputted into the computer, or can be determined by the computer. Along these lines, the results can be determined by the computer using a look-up table.

Referring now to FIG. 18, an exemplary data structure 156 for determining a strength rating of an organizational safeguard 108 a-d (illustrated in FIG. 15) is provided. The data structure 156 can comprise a plurality of levels that each comprise one or more independent or dependent nodes. The independent nodes can correspond to a question from one of the categories 121 a-f (depicted in FIG. 15). Along these lines, the independent nodes of the data structure can comprise questions belonging to the same or different categories 121 a-f (depicted in FIG. 15).

As such, the data structure 156 can comprise a first level node 157 that corresponds to an organizational safeguard (i.e., Governance and Oversight). The root node 157 can depend on one or more second level nodes 158-160. The second level nodes 158-160 can correspond to one or more internal processes of the organization to deter a cyber-attack. As illustrated, the second level nodes 158-160 can each be internal nodes and depend on a plurality of third level nodes. Alternatively, although not illustrated, the second level nodes 158-160 can be external nodes and each correspond to a question of one or more categories 121 a-f (depicted in FIG. 15).

As such, the third level nodes 161-168 can be internal nodes or external nodes. The third level, external nodes 161, 162, 164-168 can each correspond to a question of the same category as upper echelon nodes. For example, as illustrated, node 161 corresponds to question 13, node 162 corresponds to question 13 a, node 164 corresponds to question 10, node 165 corresponds to question 11, node 166 corresponds to question 12, node 167 corresponds to question 4, and node 168 corresponds to question 6.

Moreover, the third level, internal node 163 can depend on a plurality of fourth level nodes 169-173. The fourth level nodes 169-173 can each be internal nodes or external nodes. The fourth level, external nodes 169-172 can each correspond to a question. For example, as illustrated, node 169 corresponds to question 13 b, node 170 corresponds to question 13 c, node 171 corresponds to question 13 e, and node 172 corresponds to question 13 d. The fourth level, internal node 173 can depend on a plurality of fifth level, external nodes 174, 175, each of which can correspond to a question of the same category as upper echelon nodes. For example, as illustrated, node 174 corresponds to question 13 f, and node 175 corresponds to question 13 g.

Along these lines, the questions corresponding to the nodes can be presented to a user in different categories 121 a-f (depicted in FIG. 15). As such, although not illustrated, questions from category 121 a—“Program Governance and Oversight”—and category 121 d—“Detect”—(illustrated in FIG. 15) can correspond to the organizational safeguard 108 c—“Governance & Oversight” (shown in FIG. 2). In doing so, the cyber preparedness assessment can correlate a question from category 121 a—“Program Governance and Oversight”—and category 121 d—“Detect”—(illustrated in FIG. 15) to nodes of a data structure for the organizational safeguard 108 c—“Governance & Oversight” (shown in FIG. 2).

To determine a strength factor of the organizational safeguard (i.e., Governance and Oversight), external nodes utilize the look-up tables of the questions associated therewith, as discussed in detail above. Moreover, internal nodes each utilize a look-up table comprising each possible outcome or combination of preliminary strength ratings for the question(s) corresponding to external, child nodes and a cumulative strength rating for each possible combination of preliminary strength ratings. The cumulative strength rating can comprise a plurality of levels that are the same as or different from the levels of the preliminary strength ratings relating to at least one of the questions.

As such, still referring to FIG. 18, the root node 157 (i.e., Governance and Oversight) can utilize a look-up table comprising each possible combination of strength ratings corresponding to the second level, internal nodes 158-160 and a cumulative strength rating for each possible combination of strength ratings. The second level, internal nodes 158-160 can each utilize a look-up table comprising each possible combination of strength ratings of questions corresponding to the third level, external nodes 161, 162, 164-168, and optionally the third level, internal node 163, and a cumulative strength rating for each possible combination of strength ratings. The third level, internal node 163 can utilize a look-up table comprising each possible combination of strength ratings of questions corresponding to the fourth level, external nodes 169-172, and optionally the fourth level, internal node 173, and a cumulative strength rating for each possible combination of strength ratings. The fourth level, internal node 173 can utilize a look-up table comprising each possible combination of strength ratings of questions corresponding to the fifth level, external nodes 174, 175 and a cumulative strength rating for each possible combination of strength ratings.
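An added example, not from the patent, of how the data structure 156 described above can be evaluated in software: each external node applies its question's look-up table, and each internal node applies a look-up table keyed by the tuple of its children's ratings. The node numbers are the figure's; the answer tables, the rule used to fill the combination tables, and the sample answers are constructed assumptions.

```python
"""Added example (not the patent's code): evaluating the FIG. 18 data
structure bottom-up. Node numbers follow the figure; the answer tables,
the combining rule and the sample answers are constructed for illustration."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple, Union

# Preliminary strength levels named in the text, worst to best, plus "TBD"
# for a question the user has not answered.
STRENGTH = ["Deficient", "Acceptable", "Good", "Better"]
TBD = "TBD"


@dataclass
class External:
    """A leaf: one question whose look-up table maps each answer to a rating."""
    node: int
    question: str
    table: Dict[str, str]


@dataclass
class Internal:
    """A node whose look-up table keys every combination of child ratings."""
    node: int
    children: List["Node"]
    table: Dict[Tuple[str, ...], str]


Node = Union[External, Internal]


def build_table(arity: int) -> Dict[Tuple[str, ...], str]:
    """Enumerate every combination of child ratings, as the text requires,
    filling it with a constructed rule: any TBD child makes the cumulative
    rating TBD, otherwise the weakest child decides."""
    table = {}
    for combo in product(STRENGTH + [TBD], repeat=arity):
        if TBD in combo:
            table[combo] = TBD
        else:
            table[combo] = min(combo, key=STRENGTH.index)
    return table


def evaluate(node: Node, answers: Dict[str, str]) -> str:
    """Return the (cumulative) strength rating at `node` for the given
    answers; an unanswered question yields TBD at its leaf."""
    if isinstance(node, External):
        return node.table.get(answers.get(node.question), TBD)
    child_ratings = tuple(evaluate(child, answers) for child in node.children)
    return node.table[child_ratings]


# Constructed yes/partial/no table shared by the sample leaves.
YES_NO = {"Yes": "Good", "Partially": "Acceptable", "No": "Deficient"}

# Subtree rooted at the third-level internal node 163 (FIG. 18):
# leaves 169-172 (questions 13 b, 13 c, 13 e, 13 d) and internal node 173,
# which in turn depends on leaves 174 and 175 (questions 13 f, 13 g).
NODE_173 = Internal(173, [External(174, "13 f", YES_NO),
                          External(175, "13 g", YES_NO)], build_table(2))
NODE_163 = Internal(163, [External(169, "13 b", YES_NO),
                          External(170, "13 c", YES_NO),
                          External(171, "13 e", YES_NO),
                          External(172, "13 d", YES_NO),
                          NODE_173], build_table(5))

# Constructed sample answers for the questions beneath node 163.
ALL_YES = {q: "Yes" for q in ["13 b", "13 c", "13 d", "13 e", "13 f", "13 g"]}
ONE_WEAK = dict(ALL_YES, **{"13 g": "No"})
UNANSWERED = {q: a for q, a in ALL_YES.items() if q != "13 c"}

if __name__ == "__main__":
    for label, answers in [("all yes", ALL_YES), ("13 g = No", ONE_WEAK),
                           ("13 c missing", UNANSWERED)]:
        print(label, "->", evaluate(NODE_163, answers))  # Good, Deficient, TBD
```

A single weak answer deep in the tree (13 g under node 173) propagates up to node 163 under the constructed rule, and a single unanswered question leaves the whole branch "TBD", matching how the text treats a "TBD" strength rating as "N/A" in the readiness profile.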

Upon performing an inherent risk assessment 114 (illustrated in FIG. 3)and a cyber preparedness assessment 133 (illustrated in FIG. 15), acyber readiness profile is provided to a user. Referring now to FIG. 19,another exemplary cyber readiness profile 105 of the organization isillustrated. The cyber readiness profile 105 comprises an inherent riskprofile 107 of the organization from one or more cyber-attack, and acyber preparedness profile 106 of the organization against thecyber-attacks. As stated previously, the cyber preparedness profile 106comprises one or more evaluation categories 108 a-e and a strengthrating 109 a-e for each of the evaluation categories 108 a-e, and theinherent risk profile 107 can comprise one or more threat origins 111a-c and a risk rating 113 a-c for each of the threat origins 111 a-c.

Along these lines, the cyber readiness profile 105 can compare thestrength ratings 109 a-e of the evaluation categories 108 a-e to therisk ratings 113 a-c of the threat types 110 a-c. In doing so, the cyberreadiness profile 105 can present one or more relationships 176 a-ebetween one or more organizational safeguards 108 a-e and one or morethreat origins 111 a-c. The relationships 176 a-e between theorganizational safeguards 108 a-e and the threat origins 111 a-c candepend on one or more attack types of the threat origins 111 a-c foremploying a cyber-attack, and on one or more defense mechanisms of theorganizational safeguards 108 a-e in defending against the attack type.As such, for there to be a relationship between one or more threatorigins 111 a-c and one or more one or more organizational safeguards108 a-e, the defense mechanism of the organizational safeguards 108 a-emay have to be configured to defend against the attack employed by thethreat origins 111 a-c.

According to an embodiment, the cyber readiness profile 105 can presenta relationship 176 a-c between one of the evaluation categories 108 a-cand one of the threat origins 111 a-c. For instance, the threat origin111 a—“Attack from Outside”—can comprise an attack through the internet(such as hacking), and the organizational safeguard 108 a—“CybersecurityFramework”—can comprise one or more defense mechanisms to defend againstsuch a cyber-attack. Therefore, the cyber readiness profile 105 canpresent the relationship 176 a between the organizational safeguards 108a—“Cybersecurity Framework”—and the threat origin 111 a—“Attack fromOutside.” Moreover, the threat origin 111 b—“Use Insiders”—can comprisean attack involving legitimate access given to an individual inside, orrelated to, the organization, and the organizational safeguard 108b—“Insider Threat Management”—can comprise one or more defensemechanisms to defend against access given to such an individual.Accordingly, the cyber readiness profile 105 can present therelationship 176 b between the organizational safeguard 108 b—“InsiderThreat Management”—and the threat origin 111 b—“Use Insiders.”Furthermore, the threat origin 111 c—“Use of Physical Access”—can employan attack through an individual outside of an organization who acquiresunauthorized access to an organizational resource by gaining access tothe organization's physical facilities or property, and theorganizational safeguard 108 c—“Physical Security”—can comprises one ormore defense mechanisms to ensure protection against such an individual.Therefore, the cyber readiness profile 105 can present the relationship176 c between the organizational safeguards 108 c—“PhysicalSecurity”—and the threat origin 111 c—“Use of Physical Access.”

According to another embodiment, the cyber readiness profile 105 canpresent a relationship 176 d-e between one of the evaluation safeguards108 d-e and a plurality of the threat origins 111 a-c. To do so, theevaluation safeguards 108 d-e can have generic capabilities and, thus,correspond to a plurality of threat origins 111 a-c. Specifically, theevaluation safeguard 108 d—“Governance and Oversight”—can be directed toassessing corporate culture for protecting against a likelihood of anoccurrence of an attack by the threat origins 111 a-c. Moreover, theevaluation category 108 e—“Incident Response & DR Capabilities” can bedirected to assessing readiness of an organization in responding to anattack by the threat origins 111 a-c. As such, the cyber readinessprofile 105 can present a relationship 176 d between the organizationalsafeguards 108 d—“Governance and Oversight”—and the threat origin 111a-c—“Attack from Outside,” “Use of Insiders,” and “Use of PhysicalAccess.” Along these lines, the cyber readiness profile 105 can presenta relationship 176 e between the organizational safeguards 108e—“Incident Response & DR Capabilities”—and the threat origin 111a-c—“Attack from Outside,” “Use of Insiders,” and “Use of PhysicalAccess.”

By doing so, the relationships 176 a-e can illustrate a cyber readinessof each of the evaluation categories 108 a-e against each of the threatorigins 111 a-c. To illustrate the extent of cyber readiness of theorganization, the relationships 176 a-e can comprise a plurality ofdegrees. The degrees can be presented to a user in the form of textand/or color. According to an embodiment, the degrees can be presentedto a user as “Severe Gap,” “Possible Concern,” “OK,” and “N/A.”According to another embodiment, the relationships 176 a-e can bepresented to a user as green, yellow, red, or gray. The color green canrepresent “OK,” the color yellow can represent “Possible Concern,” thecolor red can represent “Severe Gap,” and the color gray can represent“N/A.”

Moreover, to determine the relationships 176 a-e between theorganizational safeguards 108 a-e and the threat origins 111 a-c, one ormore look-up tables can be utilized. Referring now to FIG. 20, anexemplary look-up table 177 to determine the relationships 176 a-cbetween the organizational safeguards 108 a-c and the threat origins 111a-c is depicted. The look-up table 177 can comprise a relationship foreach possible combination of strength ratings 178 a-d and risk ratings179 a-e. As such, referring back to FIG. 19, the cyber readiness profile105 can utilize that the look-up table 177 (illustrated in FIG. 20) todetermine the relationship 176 a—“Severe Gap”—between the risk rating113 a—“Medium”—of threat origin 111 a—“Attack from Outside”—and thestrength rating 109 a—“Deficient”—of the evaluation category 108a—“Cybersecurity Framework,” the relationship 176 b—“Severe Gap”—betweenthe risk rating 113 b—“Medium”—of threat origin 111 b—“Use of Insiders”and the strength rating 109 b—“Deficient”—of the evaluation category 108b—“Insider Threat Management,” and the relationship 176 c—“N/A”—betweenthe risk rating 113 c—“Medium”—of threat origin 111 c—“Use of PhysicalAccess”—and the strength rating 109 c—“TBD”—of the evaluation category108 c—“Physical security.”

Referring now to FIG. 21, an exemplary look-up table 194 to determinethe relationships 176 d-e between the organizational safeguards 108 d-eand the threat origins 111 a-c is depicted. The look-up table 194 cancomprise a relationship for each possible combination of strengthratings 178 a-c and risk ratings 179 a-e. As such, referring back toFIG. 19, the cyber readiness profile 105 can utilize that the look-uptable 194 (illustrated in FIG. 21) to determine the relationship 176d—“Possible Concern”—between the risk ratings 113 a-c—“Medium”—of threatorigins 111 a-c—“Attack from Outside,” “Use of Insiders,” and “Use ofPhysical Access—and the strength rating 109 d—“Acceptable”—of theevaluation category 108 d—“Governance and Oversight.” Along these lines,the cyber readiness profile 105 can utilize that the look-up table 194(illustrated in FIG. 21) to determine and the relationship 176 e—“SevereGap”—between the risk ratings 113 a-c—“Medium”—of threat origins 111a-c—“Attack from Outside,” “Use of Insiders,” and “Use of PhysicalAccess—and the strength rating 109 e—“Deficient”—of the evaluationcategory 108 e—“Incident Response & DR Capabilities.”

Referring now to FIG. 22, an exemplary method for evaluating a cyberreadiness of an organization is provided. First, at block 180, aplurality of questions are presented to a user at a computer. Some orall of the questions have one or more predefined answers to be selectedby the user. Thereafter, at block 181, a plurality of answers to thequestions are received from the user by the computer. Based on theanswers, at block 182, a risk rating for a threat origin of acyber-attack from one or more threat actors and/or threat vectors isused to an inherent risk profile at the computer. At block 183, astrength rating for one or more organizational safeguards againstcyber-attack is used to determine a cyber preparedness profile at thecomputer. Subsequently, at block 184, the inherent risk profile of thethreat origin is compared to the cyber preparedness profile of theorganization and, at block 185, a cyber readiness of the organizationfrom the cyber-attack by each threat origin is determined. Lastly, atblock 186, the cyber readiness of the organizational safeguard isdisplayed. Each of the aforementioned steps can be performed inaccordance with embodiments of the invention as described above.

Referring now to FIG. 23, a schematic diagram of an exemplary server 187that may be utilized in accordance with the present invention isillustrated. The exemplary server 187 includes a communication device188, a processor 189, and a data storage or memory component 190. Theprocessor 189 is in communication with both the communication device 188and the memory component 190. The communication device 188 may beconfigured to communicate information via a communication channel, wiredor wireless, to electronically transmit and receive digital data relatedto the functions discussed herein. The communication device 188 may alsobe used to communicate, for example, with one or more human readabledisplay devices, such as, an LCD panel, an LED display or other displaydevice or printer. The memory component 190 may comprise any appropriateinformation storage device, including combinations of magnetic storagedevices (e.g., magnetic tape, radio frequency tags, and hard diskdrives), optical storage devices, computer readable media, and/orsemiconductor memory devices such as Random Access Memory (RAM) devicesand Read-Only Memory (ROM) devices. The memory component 190 may storethe program 191 for controlling the processor 189. The processor 189performs instructions of the program 191, and thereby operates inaccordance with the present invention.

The memory component 190 may also store and send all or some of theinformation sent to the processor 189 in a plurality of modules 192,193. As such, the module 192, 193 may each contain a look-up table, asdiscussed above. This can improve the logic and processing speed of theserver 187 in analyzing cyber readiness of an organization, as well asreduce the required computing power by the server 187 to do so.

Communication device 188 may include an input device including anymechanism or combination of mechanisms that permit an operator to inputinformation to communication device 188, such as a keyboard, a mouse, atouch sensitive display device, a microphone, a pen-based pointingdevice, a biometric input device, and/or a voice recognition device.Communication device 178 may include an output device that can includeany mechanism or combination of mechanisms that outputs information tothe operator, including a display, a printer, a speaker, etc.

From the foregoing description, one skilled in the art can readily ascertain the essential characteristics of the invention, and without departing from the spirit and scope thereof, can make changes and modifications of the invention to adapt it to various conditions and to utilize the present invention to its fullest extent. The specific embodiments described here are to be construed as merely illustrative, and not limiting of the scope of the invention in any way whatsoever. Moreover, features described in connection with one embodiment of the invention may be used in conjunction with other embodiments, even if not explicitly stated above.

We claim:
1. A method for evaluating cyber readiness of an organization, the method comprising: presenting, by a computer, a plurality of objective questions to a user, wherein each of the objective questions has one or more predefined answers to be selected by said user; receiving, by said computer, answers to said plurality of objective questions from said user; determining based on said answers, by said computer, a risk rating for a threat origin of a cyber-attack; determining based on said answers, by said computer, a strength rating for an organizational safeguard against said threat origin; comparing, by said computer, said risk rating of said threat origin to said strength rating of said organizational safeguard; determining based on said comparison, by said computer, a cyber readiness rating of said organizational safeguard from said cyber-attack by said threat origin; and presenting, by said computer, the cyber readiness rating of said organizational safeguard.
2. The method of claim 1, wherein presenting the cyber readiness rating of said organization comprises: presenting, by said computer, said threat origin and said risk rating of said threat origin; and presenting, by said computer, said organizational safeguard and said strength rating of said organizational safeguard.
3. The method of claim 2, additionally comprising: identifying, by said computer, a relationship between said risk rating of said threat origin and said strength rating of said organizational safeguard.
4. The method of claim 3, wherein said cyber readiness rating of said organizational safeguard from said cyber-attack by said threat origin comprises one of a plurality of levels, the levels being severe gap, possible concern, and okay.
5. The method of claim 1, wherein said risk rating of said threat origin is determined independent from said strength rating of said organizational safeguard.
6. The method of claim 1, wherein determining said risk rating of said threat origin comprises: determining based on said answers, by said computer, a plurality of threat vectors, wherein the threat vectors correspond to the threat origin; and determining based on said answers, by said computer, a risk rating for each of said threat vectors.
7. The method of claim 6, wherein determining said risk rating of said threat origin further comprises: determining based on said risk rating for each of said threat vectors, by said computer, a cumulative risk rating of said threat origin.
8. The method of claim 1, additionally comprising: correlating, by said computer, one or more of said objective questions to a plurality of elements of said organizational safeguard, wherein said elements collectively determine said strength rating of said organizational safeguard.
9. The method of claim 8, wherein determining of said strength rating of said organizational safeguard comprises: determining, by said computer, a strength rating for a first element of said organizational safeguard based on at least one of said answers; and determining, by said computer, a strength rating for a second element of said organizational safeguard based on at least one of said answers.
10. The method of claim 9, wherein determining of said strength rating of said first element comprises: determining, by said computer, a strength rating for a third element of said organizational safeguard based on said strength rating of said first element and said strength rating of said second element.
11. The method of claim 10, wherein determining said strength rating of said organizational safeguard additionally comprises: determining, by said computer, a strength rating for a fourth element of said organizational safeguard based on at least one of said answers; and determining, by said computer, a strength rating for a fifth element of said organizational safeguard based on said strength rating of said third element and said strength rating of said fourth element.
12. The method of claim 11, wherein said strength rating for said first element, said strength rating for said second element, said strength rating for said third element, said strength rating for said fourth element, and said strength rating for said fifth element are each determined using a look-up table.
13. The method of claim 12, wherein the look-up table provides an outcome for each possible combination of answers to said objective questions.
14. The method of claim 1, additionally comprising: determining based on said objective questions, by said computer, an inherent risk profile, wherein the inherent risk profile comprises a plurality of threat origins and a risk rating for each of the threat origins.
15. The method of claim 1, additionally comprising: determining based on said objective questions, by said computer, a preparedness profile, wherein said preparedness profile comprises a plurality of organizational safeguards and a strength rating for each of said organizational safeguards.
16. A system for evaluating cyber readiness of an organization, the system comprising: a memory storage device; and a processor in communication with said memory storage device and configured to: present a plurality of objective questions to a user, wherein each of the objective questions has one or more predefined answers to be selected by said user; receive answers to said plurality of objective questions from said user; determine based on said answers a risk rating for a threat origin of a cyber-attack; determine based on said answers a strength rating for an organizational safeguard against said threat origin; compare said risk rating of said threat origin to said strength rating of said organizational safeguard; determine based on said comparison the cyber readiness rating of said organizational safeguard from said cyber-attack by said threat origin; and present the cyber readiness rating of said organizational safeguard.
17. The system of claim 16, wherein presenting the cyber readiness rating of said organization comprises: presenting said threat origin and said risk rating of said threat origin; and presenting said organizational safeguard and said strength rating of said organizational safeguard.
18. The system of claim 17, additionally comprising: identifying a relationship between said risk rating of said threat origin and said strength rating of said organizational safeguard.
19. The system of claim 18, wherein said cyber readiness rating of said organizational safeguard from said cyber-attack by said threat origin comprises one of a plurality of levels, the levels being severe gap, possible concern, and okay.
20. The system of claim 16, wherein determining said risk rating of said threat origin comprises: determining based on said answers a plurality of threat vectors, wherein the threat vectors correspond to the threat origin; and determining based on said answers a risk rating for each of said threat vectors.
21. The system of claim 20, wherein determining said risk rating of said threat origin to cyber-attack further comprises: determining based on said risk rating for each of said threat vectors a cumulative risk rating for said threat origin.
22. The system of claim 16, wherein the processor is additionally configured to: correlate one or more of said objective questions to a plurality of elements of said organizational safeguard, wherein said elements collectively determine said strength rating of said organizational safeguard.
23. The system of claim 22, wherein determining of said strength rating of said organizational safeguard comprises: determining a strength rating for a first element of said organizational safeguard based on at least one of said answers; and determining a strength rating for a second element of said organizational safeguard based on at least one of said answers.
24. The system of claim 23, wherein determining of said strength rating of said first element comprises: determining a strength rating for a third element of said organizational safeguard based on said strength rating of said first element and said strength rating of said second element.
25. The system of claim 24, wherein determining of said strength rating of said organizational safeguard additionally comprises: determining a strength rating for a fourth element of said organizational safeguard based on at least one of said answers; and determining a strength rating for a fifth element of said organizational safeguard based on said strength rating of said third element and said strength rating of said fourth element.
26. The system of claim 25, wherein said strength rating for said first element, said strength rating for said second element, said strength rating for said third element, said strength rating for said fourth element, and said strength rating for said fifth element are each determined using a look-up table.
27. The system of claim 26, wherein the look-up table provides an outcome for each possible combination of answers to said objective questions.
28. The system of claim 16, wherein the processor is additionally configured to: determine based on said objective questions an inherent risk profile, wherein the inherent risk profile comprises a plurality of threat origins and a risk rating for each of the threat origins.
29. The system of claim 16, wherein the processor is additionally configured to: determine based on said objective questions a preparedness profile, wherein said preparedness profile comprises a plurality of organizational safeguards and a strength rating for each of said organizational safeguards.
30. A non-transitory computer-readable medium tangibly storing computer program instructions which when executed by a processor, causes the processor to: present a plurality of objective questions to a user, wherein each of the objective questions has one or more pre-defined answers to be selected by said user; receive answers to said plurality of objective questions from said user; determine based on said answers a risk rating for a threat origin of a cyber-attack; determine based on said answers a strength rating for an organizational safeguard against said threat origin; compare the risk rating of said threat origin to said strength rating of said organizational safeguard; determine based on said comparison a cyber readiness rating of said organizational safeguard from said cyber-attack by said threat origin; and present the cyber readiness rating of the organizational safeguard.
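The claims above describe one computation from several angles: answers to objective questions yield a risk rating per threat vector and a cumulative rating for the threat origin (claims 6, 7, 20, 21), independently of the safeguard (claim 5); answers correlated to safeguard elements yield element strengths, with the third and fifth elements derived from earlier elements through a look-up table that covers every combination of inputs (claims 8 to 13, 22 to 27); and the comparison of risk against strength yields one of the levels severe gap, possible concern, or okay (claims 4, 19). The following is an added worked example of that flow; it is not code from the patent or its assignee. The questions, the three-step ordinal scale, the "weaker input dominates" look-up table, the "highest vector wins" cumulative rule, and the thresholds between the three readiness levels are all constructed assumptions chosen to make the pipeline concrete.

```python
"""Worked example of the claimed readiness computation (added illustration).

Scale, look-up tables, questions and thresholds are constructed assumptions,
not the patent's own data.  Ratings are ordinal: LOW=1, MEDIUM=2, HIGH=3.
"""
from itertools import product

LOW, MEDIUM, HIGH = 1, 2, 3
NAMES = {LOW: "low", MEDIUM: "medium", HIGH: "high"}

# Objective questions with predefined answers (constructed).  Each answer maps
# to a rating; a question is tagged with either a threat vector of a threat
# origin or a safeguard element, which is how questions are correlated to
# vectors (claim 6) and to safeguard elements (claim 8).
QUESTIONS = {
    "q1": {"text": "Do employees have remote access to internal systems?",
           "answers": {"no": LOW, "vpn only": MEDIUM, "open rdp": HIGH},
           "vector": ("outside", "remote access")},
    "q2": {"text": "How often do staff receive unsolicited email with attachments?",
           "answers": {"rarely": LOW, "weekly": MEDIUM, "daily": HIGH},
           "vector": ("outside", "phishing")},
    "q3": {"text": "Is multi-factor authentication required for remote login?",
           "answers": {"yes": HIGH, "some users": MEDIUM, "no": LOW},
           "element": "e1"},
    "q4": {"text": "Are inbound emails scanned for malicious attachments?",
           "answers": {"yes": HIGH, "partially": MEDIUM, "no": LOW},
           "element": "e2"},
    "q5": {"text": "How often is security awareness training delivered?",
           "answers": {"quarterly": HIGH, "annually": MEDIUM, "never": LOW},
           "element": "e4"},
}

# Look-up table (claims 12-13): one outcome for every possible pair of input
# ratings.  The combining rule used here, "the weaker input dominates", is an
# assumption; the table is enumerated explicitly so it can be audited.
PAIR_TABLE = {(a, b): min(a, b) for a, b in product((LOW, MEDIUM, HIGH), repeat=2)}


def threat_origin_risk(answers, origin):
    """Risk rating per threat vector plus the cumulative rating for the origin
    (claims 6-7).  Cumulative rule: the highest vector rating (assumption).
    Only vector-tagged questions are read, so the result is independent of
    the safeguard strength (claim 5)."""
    vectors = {}
    for qid, q in QUESTIONS.items():
        if "vector" in q and q["vector"][0] == origin:
            vectors[q["vector"][1]] = q["answers"][answers[qid]]
    return vectors, max(vectors.values())


def safeguard_strength(answers):
    """Element strengths e1..e5 (claims 9-11): e1, e2 and e4 come straight
    from answers; e3 = table(e1, e2); e5 = table(e3, e4).  The safeguard's
    overall strength rating is taken to be e5 (assumption)."""
    by_element = {q["element"]: q["answers"][answers[qid]]
                  for qid, q in QUESTIONS.items() if "element" in q}
    e1, e2, e4 = by_element["e1"], by_element["e2"], by_element["e4"]
    e3 = PAIR_TABLE[(e1, e2)]
    e5 = PAIR_TABLE[(e3, e4)]
    return {"e1": e1, "e2": e2, "e3": e3, "e4": e4, "e5": e5}


def readiness_level(risk, strength):
    """Compare the origin's risk rating with the safeguard's strength rating
    and map the gap to the three levels of claim 4.  Thresholds are assumptions:
    strength at or above risk is okay, one step short is a possible concern,
    anything further short is a severe gap."""
    if strength >= risk:
        return "okay"
    if risk - strength == 1:
        return "possible concern"
    return "severe gap"


def evaluate(answers, origin="outside"):
    """Run the full pipeline for one threat origin and return what the
    presentation step (claims 1-2) would show."""
    vectors, risk = threat_origin_risk(answers, origin)
    elements = safeguard_strength(answers)
    strength = elements["e5"]
    return {
        "origin": origin,
        "vectors": {k: NAMES[v] for k, v in vectors.items()},
        "risk": NAMES[risk],
        "elements": {k: NAMES[v] for k, v in elements.items()},
        "strength": NAMES[strength],
        "readiness": readiness_level(risk, strength),
    }


if __name__ == "__main__":
    # Constructed sample response: exposed remote access and daily phishing
    # (high risk) against MFA for some users, mail scanning and quarterly
    # training (medium overall strength) -> "possible concern".
    sample = {"q1": "open rdp", "q2": "daily", "q3": "some users",
              "q4": "yes", "q5": "quarterly"}
    print(evaluate(sample))
```

The point worth noticing is how the look-up-table chaining behaves: because the weaker input dominates, a strong mail filter (e2) cannot compensate for partial MFA (e1), and e3 inherits the weaker value, which then caps e5 regardless of training frequency. Whether that is the desired policy is exactly the kind of question an assessor should settle when the table is authored, since every combination is enumerated and reviewable rather than buried in scoring arithmetic.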